Computing systems are useful tools for the exchange of information among individuals. The information may include, but is not limited to, data, voice, graphics, and video. The exchange is established through interconnections linking the computing systems together in a way that permits the transfer of electronic signals that represent the information. The interconnections may be either cable or wireless. Cable connections include, for example, metal and optical fiber elements. Wireless connections include, for example infrared, acoustic, and radio wave transmissions.
Interconnected computing systems having some sort of commonality are represented as a network. For example, individuals associated with a college campus may each have a computing device. In addition, there may be shared printers and remotely located application servers distributed throughout the campus. There is commonality among the individuals in that they all are associated with the college in some way. The same can be said for individuals and their computing arrangements in other environments including, for example, healthcare facilities, manufacturing sites and Internet access users. A network permits communication or signal exchange among the various computing systems of the common group in some selectable way. The interconnection of those computing systems, as well as the devices that regulate and facilitate the exchange among the systems, represent a network. Further, networks may be interconnected together to establish internetworks. For purposes of the description of the present embodiment, the devices and functions that establish the interconnection represent the network infrastructure. The users, computing devices and the like that use that network infrastructure to communicate are referred to herein as attached functions and will be further defined. The combination of the attached functions and the network infrastructure will be referred to as a network system.
The process by which the various computing systems of a network or internetwork communicate is generally regulated by agreed-upon signal exchange standards and protocols embodied in network interface cards or circuitry and software, firmware and microcoded algorithms. Such standards and protocols were borne out of the need and desire to provide interoperability among the array of computing systems available from a plurality of suppliers. Two organizations that have been responsible for signal exchange standardization are the Institute of Electrical and Electronic Engineers (IEEE) and the Internet Engineering Task Force (IETF). In particular, the IEEE standards for internetwork operability have been established, or are in the process of being established, under the purview of the IEEE 802 committee on Local Area Networks (LANs) and Metropolitan Area Networks (MANs). The IEEE 802 also provide a service in the assignment of OUI and IAB values to define unique address space which may be assigned to individual organizations.
The identified organizations generally focus on the mechanics of network and internetwork operation, less so on rules and restrictions on access to, and the provisioning of services associated with, the network. Presently, access to applications, files, databases, programs, and other capabilities associated with the entirety of a discrete network is restricted primarily based on the identity of the user and/or the network attached function. For the purpose of the description of the present embodiment, a “user” is a human being who interfaces via a computing device with the services associated with a network. For further purposes of clarity, a “network attached function” or an “attached function” may be a user connected to the network through a computing device and a network interface device, an attached device connected to the network, a function using the services of or providing services to the network, or an application associated with an attached device. Upon authentication of the offered attached function identity, that attached function may access network services at the level permitted for that identification. For purposes of the present description, “network services” include, but are not limited to, access, Quality of Service (QoS), bandwidth, priority, computer programs, applications, databases, files, and network and server control systems that attached functions may use or manipulate for the purpose of conducting the business of the enterprise employing the network as an enterprise asset. The basis upon which the network administrator grants particular permissions to particular attached functions in combination with the permissions is an established network usage policy. For example, one policy may be that any user (one type of attached function) with an employee identification number is granted access to the enterprise's electronic mail system at a specified bandwidth and QoS level.
Presently, the network administrator establishes policies. The policies are defined in and regulated through a policy server controlled by the administrator. The established policies are transmitted to the network interface devices of the network infrastructure at the connection point or port. As part of the authentication process, a particular set of policies are established by the administrator for that attached function. That is, the port at which that attached function is attached to the network infrastructure is configured to effect those policies. For example, QoS, bandwidth, and priority levels may be set at certain values for one identified attached function and at different levels for another attached function. Once that set of policies has been established for that attached function, there is typically no coordinated mechanism to revise the set of policies during network connection based on a change of circumstances.
Unfortunately, events and activities do occur that may be harmful to the network system. For purposes of this description, harm to the network system includes, for example, access denial, intentionally tying up network computing resources, intentionally forcing bandwidth availability reduction, and restricting, denying or modifying network-related information. There are currently two generally available forms of network protection designed to minimize such types of network harm. Firewalls are designed to prevent the passage of packets to the network based on certain limited specific conditions associated with the packets. Firewalls do not enable assigned policy modifications. Intrusion Detection Systems (IDS) are designed to observe packets, the state of packets, and patterns of usage of packets entering or within the network infrastructure for harmful behavior. However, the available IDS only report the existence of potentially harmful anomalies and do not enable responsive policy modification. Any adjustment to the state of permitted attached function network usage typically occurs manually after evaluation of the detected anomalies. There is presently little comprehensive capability available for continuous network system monitoring and network-forced adjustment or change of assigned network usage permissions based upon the detection of one or more conditions that would trigger such a change.
In certain limited instances, network usage (meaning first entry to the network system for the purpose of accessing the network services and the subsequent use of such services) may be restricted for reasons other than user authentication. For example, an attached function seeking usage of a discrete network system through dial-up or virtual private networking may be isolated from certain network services simply because private network entry is made through a public portal, i.e., the internet. It is also understood that in certain academic settings offering wireless connectivity, network usage may be limited upon detection of attached function attempts to seek unauthorized access to specified restricted network services. Further, the use of dynamic policy assignment has been defined and extended in co-pending U.S. patent application Ser. No. 10/629,331 entitled “System and Method for Dynamic Network Policy Management” of John Roese et al. and assigned to a common assignee. Even this work, however, leaves cases of insufficient information available to make proper Acceptable Use Policy (AUP) assignments or other dynamic policy decisions. Thus the network system is unable to provide proper services and unable to limit the traffic to and from an attached device sufficiently to: (a) protect the network from an unknown device; and (b) protect the device from attack by the network or from devices/attackers through the network infrastructure. This failure or inability to protect devices such as process or manufacturing control devices from attack by or through the network interface is the exact reason so few systems may be networked beyond the locked doors and well controlled physical access. Despite the benefit of data collection, software updates, and closed loop operation capabilities, the fear and reality of the device vulnerabilities limit the network extent and scale granted to these devices. Often these and other devices lack the security or software and features to interact in a secure network environment. Authentication capabilities may be non-existent; no human user may ever be associated with the device or device may have no interface for authentication, such as WiFi phones.